Friday 11 April 2014

New Privacy Principles and your Business
Last month there was a change to the laws concerning privacy in Australia. While the big end of town will have looked at this in detail, and the Act applies to private businesses with a turnover of $3 million or more, the core principles are something that all businesses operating in Australia should understand and respect. And if the Act now applies to you, take care that your business is compliant.

From 12 March 2014, the Australian Privacy Principles (APPs) replaced the National Privacy Principles (that applied to government) and the Information Privacy Principles (that applied to business) so that now there's one set of principles for all, with the one exemption concerning the handling of confidential employee information, which has its own guidelines and rules.

The 13 new 'harmonised' APPs govern the kinds of information that organisations can collect, and also how they may hold, use and disclose this information. It's hard to offer a short summary, and we recommend that you look at these in detail here to assess their impact on your business.

In general terms we understand the underlying ethics: organisations should collect information with consent, to the extent that it is necessary to perform agreed actions, and use that information only for the purpose for which it was intended. The principles also specify that individuals have the right to ask for access to that information without charge, and to update it if they wish. Organisations must also give individuals the option to provide data anonymously where this is practicable, and provide clear instructions about how an individual can complain about a breach of the Australian Privacy Principles.

Distinctions are made between sensitive and non-sensitive information, and between the conditions under which information can be disclosed to third parties; the need for the information to perform the actions expected and required is a key consideration, particularly in the case of sensitive information. In the case of less sensitive information used in direct marketing, there is now an additional requirement - beyond having collected the information from an individual - that the person would reasonably expect the organisation to use or disclose the information for that purpose.

Key changes relate to whether information is likely to be disclosed to recipients overseas, and if so, whether it is practicable to specify those countries in the organisation's Privacy Policy. Partly this is prompted by concerns about the online storage of personal information on servers overseas, and the security of that information if those servers are hacked. The breach of LinkedIn security last year occurred when their servers in Ireland were hacked, for example. Under the new privacy laws, overseas IT providers are required to abide by Australian law for any business they conduct in Australia.

Australian Privacy Principle 4, concerning the receipt of unsolicited information by an organisation, is interesting. Essentially, the organisation must destroy the information if it determines that it could not have collected the information under APP 3 had it solicited the information. If you consider the amount of information being gathered from many sources online and aggregated in sophisticated marketing overlays, none of which has been expressly provided by individuals to these companies with their knowledge and consent for use, I wonder whether we will see further refinement of this principle in future years to cover publicly available information used for private purposes without consent.

The bottom line is that all organisations, including private companies, must review their Privacy Policies and procedures in the light of the recent changes, or potentially find themselves in breach of the legislation.